“There are only two types of companies: those that have been hacked, and those that will be.” Robert Mueller, FBI Director, 2012. Cyber security has become a leading concern for many companies, with new challenges emerging daily. Hilton Hotels faces these challenges every day and must identify, assess, and respond to them in order to mitigate the associated risks. As a leading competitor in the hospitality industry, we are constantly under attack by cyber criminals, and we are not alone: there have been numerous successful attacks on others in our industry, causing severe financial loss and stakeholder concern. We must act, as an organizational whole, to implement a proper course of action.
What are the chances of a cyber-attack hitting our organization? Is it possible that cybercriminals could be in our systems right now? If so, who is our greatest risk?
The chances of a cyber-attack hitting our organization are better than even. In today’s technology-dominated world the threats are so numerous that the question is not “if” we will be attacked, but when. Wherever credit card information or other sensitive data are stored, there is a high likelihood that someone will attempt to breach security in order to acquire or alter that data.
There is a high probability that cyber criminals are in our systems right now. Many recent breaches were found to have been under way for months, even years, before they were detected. Our greatest risk is the end users of our information systems: careless or poorly trained staff are the most common point of entry. Employees who access our network from personal devices present a further risk. Given the capability of today’s personal and mobile computers, and the added complexity of cloud services, it is harder than ever both to prevent cyber-attacks and to detect them.
According to a 2013 mathematical research study by City University London, the probability of a malware or other viral attack is greatest from dissatisfied employees. The study also found that the key source of these infections was personal computing devices brought into the workplace and connected to the company’s information system. The probabilities are given in the chart on page two:
The study acknowledges that its data are based on a sample and cannot show the true probabilities of cyber-attack, because it is impossible to parametrize every variable that could lead to a breach. The likelihood of a cyber-attack against us is therefore probably greater than these numbers indicate, given the nature and volume of the personal information for which we are responsible.
In 2012 the Federal Trade Commission sued Wyndham Hotel Group over what has become one of the most widely cited breaches in the hospitality industry. Between April 2008 and late 2009 Wyndham allowed three separate instances of unauthorized access to its computer network and property management servers, which held customers’ payment card account numbers, expiration dates and security codes. More than 619,000 customer account numbers were compromised, resulting in over $10.6 million in fraudulent charges.
Breach 1: In April 2008, intruders broke into a single hotel’s local computer network, which was connected both to the internet and to the property management system. The following month they used a brute-force attack against an administrator account; 212 accounts were locked out before they succeeded. Because Wyndham’s computer inventory was inadequate, it could not locate the machines causing the lockouts, and the compromise went unnoticed for four months. Because there was no adequate security boundary between the individual hotel’s system and the corporate network, the compromised administrator account gave the intruders access to the property management systems of multiple Wyndham hotels. The hotel’s server operating system was outdated and no longer supported by its vendor, so it had received no security updates for three years. Once on multiple servers, the intruders installed memory-scraping malware to capture card data as payments were processed, and they also stole files containing past account information stored in clear text. From one hotel’s network, the intruders reached forty-one separate hotels and stole the card details of more than 500,000 accounts.
Breach 2: In March 2009, intruders again entered Wyndham’s network, this time through a service provider’s administrator account. They used the same memory-scraping malware to steal data from the servers of more than thirty hotels, and they also reconfigured Wyndham’s software so that its systems wrote unencrypted files of guest payment card data at the affected hotels. Around 50,000 customer accounts were accessed and used for fraudulent charges. Wyndham did not discover the breach until numerous customers complained.
Breach 3: In late 2009, intruders again gained access to Wyndham’s network through an administrator account. Because nothing had been done to limit access between Wyndham hotels, they again used the same memory-scraping malware, this time stealing 69,000 customers’ account details from twenty-eight hotels. Once again Wyndham did not detect the intrusion itself; it was informed by a credit card company. (https://consumermediallc.files.wordpress.com/2015/08/120626wyndamhotelscmpt.pdf)
Cyber security is a large part of our organization’s risk assessment and plays an important role in ensuring our objectives are met. The cyber risk assessment is a key input to management’s decisions about control activities, and it determines what is protected and how it is protected.
We must assess the likely attack methods and prepare defense strategies in response. As reflected in the probabilities chart above, attacks can come from inside or outside the organization. We must implement preventive and detective controls, including general information technology controls. These controls are only effective if a triggered control actually starts a conversation: to ensure timely action during a suspected breach, we should maintain a list of the individuals who must be informed and in what order. As we saw with Wyndham Hotels, the breaches went on for months without anyone’s knowledge. With active controls and an effective communication strategy, we can mitigate these risks.
First, we should “establish ownership of the problem on a cross-departmental basis.” A senior officer with interdepartmental authority, other than the CIO, should lead a team. Next, we should “appoint a cross-organization cyber-risk management team with representation from all stakeholder departments. Then, we must meet regularly and develop reports to the board.” Executives should track and report quantifiable metrics of the business impact of cyber-threat risk management efforts. Internal audits of cyber-threat risk management effectiveness should be conducted quarterly. Then, we must “develop and adopt an organization-wide cyber-risk management plan and internal communications strategy across all departments and business units.” All stakeholders must participate in developing the corporate plan and feel “bought into it.” Lastly, we must “develop and adopt a total cyber-risk budget of sufficient resources.” Because cyber security affects the entire organization, its budget should reflect that by not being bound to one department.
We should also ask ourselves the following questions: “What data, and how much data, are we willing to lose or have compromised? How should our cyber-risk mitigation investments be allocated among basic and advanced defenses? What options are available to assist us in transferring certain cyber risks?”
The following are controls we should consider.
1) Identify the riskiest touch points and ensure that we have proper firewalls in place between individual hotel systems and the corporate system, so that a compromise at one property cannot spread to the others as it did at Wyndham.
2) Educate our employees on the proper procedures to prevent cyber-attacks on our company.
3) Develop or purchase software that compares each day’s information modifications against a master file and notifies the proper officials when data has been changed or extracted from one day to the next.
4) Areas requiring a password should be limited to three login attempts; exceeding this threshold should result in account suspension with notification to the proper officials.
5) After five account suspensions originating from the same machine, an alert containing that machine’s inventory number and IP address should be sent to the proper officials, so the source of the lockouts can be located immediately rather than months later.
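Controls 4 and 5 above are the kind of rule a detection script can enforce. The following Python script is an added example, not part of the original essay or of any Hilton system: it replays a constructed set of authentication log lines, suspends an account after three consecutive failures, and escalates with the asset inventory number once five suspensions have originated from the same source address, which is the pattern of the 212 lockouts in the first Wyndham breach. The log format, host names, IP addresses and inventory tags are all assumptions made for the illustration.

```python
"""Failed-login lockout (control 4) and per-source escalation (control 5).

Added example with constructed data; the log format, hosts, IPs and
inventory tags below are assumptions, not real Hilton identifiers.
"""
import re
from collections import defaultdict

MAX_FAILURES = 3      # control 4: failed attempts before the account is suspended
MAX_SUSPENSIONS = 5   # control 5: suspensions from one source before escalation

# Constructed asset inventory: source IP -> inventory number (assumption).
INVENTORY = {
    "10.20.5.31": "PMS-WS-0417",
    "10.20.5.88": "PMS-WS-0502",
}

# Assumed log line shape: "<timestamp> host=<h> ip=<a> user=<u> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines):
    """Replay log lines; return (suspension events, escalation events)."""
    failures = defaultdict(int)          # user -> consecutive failed attempts
    suspended = set()                    # users already locked out
    suspensions_by_ip = defaultdict(int) # source IP -> accounts it has locked out
    escalated = set()                    # IPs already reported once
    suspensions, escalations = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                     # malformed line: skip, do not crash
        user, ip = ev["user"], ev["ip"]
        if user in suspended:
            continue                     # an account cannot be suspended twice
        if ev["result"] == "OK":
            failures[user] = 0           # a successful login resets the counter
            continue
        failures[user] += 1
        if failures[user] >= MAX_FAILURES:
            suspended.add(user)
            suspensions_by_ip[ip] += 1
            suspensions.append({"ts": ev["ts"], "user": user, "ip": ip})
            if suspensions_by_ip[ip] >= MAX_SUSPENSIONS and ip not in escalated:
                escalated.add(ip)
                escalations.append({
                    "ts": ev["ts"],
                    "ip": ip,
                    "inventory": INVENTORY.get(ip, "UNKNOWN"),
                    "suspensions": suspensions_by_ip[ip],
                })
    return suspensions, escalations


# Constructed sample log: a legitimate user who mistypes twice, one garbage
# line, then one workstation brute-forcing five different accounts.
SAMPLE_LOG = [
    "2015-08-12T10:00:01Z host=pms-phx ip=10.20.5.88 user=jdoe result=FAIL",
    "2015-08-12T10:00:05Z host=pms-phx ip=10.20.5.88 user=jdoe result=FAIL",
    "2015-08-12T10:00:09Z host=pms-phx ip=10.20.5.88 user=jdoe result=OK",
    "2015-08-12T10:03:00Z host=pms-phx ip=10.20.5.88 user=jdoe result=FAIL",
    "this line is deliberately malformed and must be ignored",
]
for i, user in enumerate(["admin", "frontdesk", "nightaudit", "mgr", "svc_pms"]):
    for n in range(MAX_FAILURES):
        SAMPLE_LOG.append(
            f"2015-08-12T11:{i:02d}:{n * 10:02d}Z host=pms-phx "
            f"ip=10.20.5.31 user={user} result=FAIL"
        )


if __name__ == "__main__":
    susp, esc = analyse(SAMPLE_LOG)
    for s in susp:
        print("SUSPEND ", s)
    for e in esc:
        print("ESCALATE", e)
```

Running the script suspends the five brute-forced accounts and raises a single escalation naming 10.20.5.31 and inventory tag PMS-WS-0417; jdoe is never suspended because the successful login reset the counter. The escalation is keyed on the source address rather than on the account, which is what turns a string of unrelated lockouts into one locatable incident.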
Once the suggested controls are implemented, management should monitor them in the following ways.
1) There should be ongoing monitoring, both daily and periodic. Some information must be checked daily to ensure controls are working as required.
2) There should also be event-driven monitoring: “discrepancies, or even frauds, may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls or early warning that they may have been breached.”
3) We must also practice continuous monitoring by implementing technology that monitors and assesses particular controls on a continual basis.
4) We should conduct special reviews on a quarterly basis for control assessment: “Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.”
5) Lastly, we must perform audit reviews: formal reviews of infrastructure, process, and technology implementation should be performed so that the CAE can assess the reliability and usefulness of the controls.
In order to protect ourselves from internal and external threats to our cybersecurity, we need to practice multiple audit techniques. We must verify the work of our employees and the behaviour of our systems to ensure that our information is safe from both misappropriation and alteration. Our audit work falls into two areas: preventive and detective/damage control. Preventive audit work ensures that we are doing everything possible to keep cybersecurity threats out of our company’s data, while damage-control audit work limits the harm done in the case of a data breach.
For our preventive audit work, we must monitor our employees to ensure they are following the security procedures addressed in question four. This involves a number of different auditing procedures. One of the most important is ensuring that duties are properly segregated and that access is limited to what each role needs. Our auditors will verify that workers only have access to the materials for which they are authorized. This is beneficial for two reasons. First, it ensures no employee can cause undue damage to the company, either intentionally or unintentionally. Second, it prevents us from suffering the same problems as Wyndham, where a single compromised administrator account gave the intruders access to the property management systems of dozens of hotels. As a final preventive audit procedure, we must randomly sample data to confirm it is properly classified and accessible only to those who should be able to see or alter it.
For detective/damage-control audit work, we need to ensure that every activity that might compromise data leaves behind a trail. Our audits must not only help prevent security threats; they must also confirm that we are ready in case of a successful attack. As KPMG points out in its security advisories (KPMG, 2015), we can lessen the damage of an attack that gets through some of our systems if we respond to the event correctly. Audit work is an important part of checking whether we are properly prepared. We can audit our responses before a real event by conducting simulated attacks and observing what our response teams do well or poorly. (http://advisory.kpmg.us/content/dam/kpmg-advisory/PDFs/RiskConsulting/cyber-incident-mistakes-forensic-focus.pdf)
Our audits need to be regular, random, and thorough. Our employees should expect to be audited, but they should not be notified of planned audits in advance. This gives them an incentive to follow security procedures at all times.